Constants ¶
This section is empty.
Variables ¶
// Errors returned to API callers for malformed resource permission requests.
// Each is an errutil BadRequest template whose message is also registered as
// the public message (errutil.WithPublic), so the rendered template text is
// returned to the client.
// NOTE(review): because the messages are public, whatever is placed in the
// template data (e.g. the err passed to ErrInvalidParamData) may reach API
// clients — confirm the templates do not expose internal details.
var (
	// ErrInvalidParam reports a request parameter that failed validation
	// (template data presumably built by ErrInvalidParamData — confirm).
	ErrInvalidParam = errutil.BadRequest("resourcePermissions.invalidParam").
		MustTemplate(invalidParamMessage, errutil.WithPublic(invalidParamMessage))
	// ErrInvalidRequestBody reports a request body that could not be accepted.
	ErrInvalidRequestBody = errutil.BadRequest("resourcePermissions.invalidRequestBody").
		MustTemplate(invalidRequestBody, errutil.WithPublic(invalidRequestBody))
	// ErrInvalidPermission reports an invalid permission name.
	ErrInvalidPermission = errutil.BadRequest("resourcePermissions.invalidPermission").
		MustTemplate(invalidPermissionMessage, errutil.WithPublic(invalidPermissionMessage))
	// ErrInvalidAssignment reports an invalid assignment target.
	ErrInvalidAssignment = errutil.BadRequest("resourcePermissions.invalidAssignment").
		MustTemplate(invalidAssignmentMessage, errutil.WithPublic(invalidAssignmentMessage))
)
Functions ¶
func ErrInvalidAssignmentData ¶
func ErrInvalidAssignmentData(assignment string) errutil.TemplateData
func ErrInvalidParamData ¶
func ErrInvalidParamData(param string, err error) errutil.TemplateData
func ErrInvalidPermissionData ¶
func ErrInvalidPermissionData(permission string) errutil.TemplateData
func ErrInvalidRequestBodyData ¶
func ErrInvalidRequestBodyData(reason string) errutil.TemplateData
func GetActionSetName ¶
GetActionSetName creates an action set from a list of actions and stores it in memory.
func NewStore ¶
func NewStore(cfg *setting.Cfg, sql db.DB, features featuremgmt.FeatureToggles) *store
Types ¶
type ActionSet ¶
ActionSet is a struct that represents a set of actions that can be performed on a resource. An example of an action set is "folders:edit" which represents the set of RBAC actions that are granted by edit access to a folder.
type ActionSetService ¶
// ActionSetService resolves between action sets (for example "folders:edit")
// and the fine-grained RBAC actions they grant, and records new action sets.
type ActionSetService interface {
	// ActionResolver defines method for expanding permissions from permissions with action sets to fine-grained permissions.
	// We use an ActionResolver interface to avoid circular dependencies
	accesscontrol.ActionResolver
	// ResolveAction returns all the action sets that the action belongs to.
	ResolveAction(action string) []string
	// ResolveActionSet resolves an action set to a list of corresponding actions.
	ResolveActionSet(actionSet string) []string
	// StoreActionSet records the actions that make up the action set for the
	// given resource and permission (presumably the set named by
	// GetActionSetName — confirm against the implementation).
	StoreActionSet(resource, permission string, actions []string)
}
func NewActionSetService ¶
func NewActionSetService() ActionSetService
NewActionSetService returns a new instance of InMemoryActionSets.
type Assignments ¶
type BuiltinResourceHookFunc ¶
type Description ¶
// Description describes what can be assigned permissions on a resource and
// which permission names are available; it is carried in the body of
// DescriptionResponse.
type Description struct {
	// Assignments lists the kinds of assignee the resource supports
	// (users/teams/builtInRoles, see Options.Assignments).
	Assignments Assignments `json:"assignments"`
	// Permissions lists the friendly permission names (e.g. "Edit") that can be set.
	Permissions []string `json:"permissions"`
}
type DescriptionResponse ¶
// DescriptionResponse is the response body of the resourcePermissionsDescription endpoint.
type DescriptionResponse struct {
	// in:body
	// required:true
	Body Description `json:"body"`
}
swagger:response resourcePermissionsDescription
type FakeActionSetSvc ¶
// FakeActionSetSvc appears to be a test double for ActionSetService: its
// methods return the canned Expected* values below (which field each method
// returns is not visible here — confirm in the implementation).
type FakeActionSetSvc struct {
	ExpectedErr         error
	ExpectedActionSets  []string
	ExpectedActions     []string
	ExpectedPermissions []accesscontrol.Permission
}
func (*FakeActionSetSvc) ExpandActionSets ¶
func (f *FakeActionSetSvc) ExpandActionSets(permissions []accesscontrol.Permission) []accesscontrol.Permission
func (*FakeActionSetSvc) ResolveAction ¶
func (f *FakeActionSetSvc) ResolveAction(action string) []string
func (*FakeActionSetSvc) ResolveActionSet ¶
func (f *FakeActionSetSvc) ResolveActionSet(actionSet string) []string
func (*FakeActionSetSvc) StoreActionSet ¶
func (f *FakeActionSetSvc) StoreActionSet(resource, permission string, actions []string)
type GetResourceDescriptionParams ¶
// GetResourceDescriptionParams holds the path parameters of the
// getResourceDescription endpoint.
type GetResourceDescriptionParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
}
swagger:parameters getResourceDescription
type GetResourcePermissionsParams ¶
// GetResourcePermissionsParams holds the path parameters of the
// getResourcePermissions endpoint: the resource kind and the id of the
// specific resource whose permissions are listed.
type GetResourcePermissionsParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
	// in:path
	// required:true
	ResourceID string `json:"resourceID"`
}
swagger:parameters getResourcePermissions
type InMemoryActionSets ¶
// InMemoryActionSets is the in-memory implementation of ActionSetService.
type InMemoryActionSets struct {
	// contains filtered or unexported fields
}
InMemoryActionSets is an in-memory implementation of the ActionSetService.
func (*InMemoryActionSets) ExpandActionSets ¶
func (s *InMemoryActionSets) ExpandActionSets(permissions []accesscontrol.Permission) []accesscontrol.Permission
func (*InMemoryActionSets) GetActionSet ¶
func (s *InMemoryActionSets) GetActionSet(actionName string) []string
GetActionSet returns the action set for the given action.
func (*InMemoryActionSets) ResolveAction ¶
func (s *InMemoryActionSets) ResolveAction(action string) []string
func (*InMemoryActionSets) ResolveActionSet ¶
func (s *InMemoryActionSets) ResolveActionSet(actionSet string) []string
func (*InMemoryActionSets) StoreActionSet ¶
func (s *InMemoryActionSets) StoreActionSet(resource, permission string, actions []string)
type InheritedScopesSolver ¶
type Options ¶
// Options configures a managed resource permission Service: which resource
// and scope attribute are generated, who may be assigned, how friendly
// permission names map to access control actions, and the hooks and
// middleware applied when permissions change.
type Options struct {
	// Resource is the action and scope prefix that is generated
	Resource string
	// ResourceAttribute is the attribute the scope should be based on (e.g. id or uid)
	ResourceAttribute string
	// OnlyManaged will tell the service to return all permissions if set to false and only managed permissions if set to true
	OnlyManaged bool
	// ResourceValidator is a validator function that will be called before each assignment.
	// If set to nil the validator will be skipped.
	// NOTE(review): with a nil validator an assignment is accepted without any
	// resource-specific check from this option — confirm that every caller
	// leaving it unset intends that.
	ResourceValidator ResourceValidator
	// Assignments decides what we can assign permissions to (users/teams/builtInRoles)
	Assignments Assignments
	// PermissionsToActions is a map of friendly named permissions and what access control actions they should generate.
	// E.g. Edit permissions should generate dashboards:read, dashboards:write and dashboards:delete
	PermissionsToActions map[string][]string
	// ReaderRoleName is the display name for the generated fixed reader role
	ReaderRoleName string
	// WriterRoleName is the display name for the generated fixed writer role
	WriterRoleName string
	// RoleGroup is the group name for the generated fixed roles
	RoleGroup string
	// OnSetUser if configured will be called each time a permission is set for a user
	OnSetUser func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error
	// OnSetTeam if configured will be called each time a permission is set for a team
	OnSetTeam func(session *db.Session, orgID, teamID int64, resourceID, permission string) error
	// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
	OnSetBuiltInRole func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error
	// InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource
	InheritedScopesSolver InheritedScopesSolver
	// LicenseMW if configured is applied to endpoints that can modify permissions
	// (the original comment called it "LicenseMV"; the field is LicenseMW).
	LicenseMW web.Handler
}
type ResourceHooks ¶
// ResourceHooks bundles the per-assignee callbacks passed to
// Store.SetResourcePermissions; they appear to correspond to
// Options.OnSetUser, OnSetTeam and OnSetBuiltInRole, which are optional
// ("if configured") — confirm how a nil hook is treated by the store.
type ResourceHooks struct {
	User        UserResourceHookFunc
	Team        TeamResourceHookFunc
	BuiltInRole BuiltinResourceHookFunc
}
type ResourceValidator ¶
type Service ¶
// Service is the managed resource permission service: it wires up the access
// control subsystem (API and service) for one resource kind, configured by
// Options via New.
type Service struct {
	// contains filtered or unexported fields
}
Service is used to create the access control subsystem, including the API and service, for managed resource permissions.
func New ¶
func New(cfg *setting.Cfg, options Options, features featuremgmt.FeatureToggles, router routing.RouteRegister, license licensing.Licensing, ac accesscontrol.AccessControl, service accesscontrol.Service, sqlStore db.DB, teamService team.Service, userService user.Service, actionSetService ActionSetService, ) (*Service, error)
func (*Service) DeleteResourcePermissions ¶
func (*Service) GetPermissions ¶
func (s *Service) GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]accesscontrol.ResourcePermission, error)
func (*Service) MapActions ¶
func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
func (*Service) SetBuiltInRolePermission ¶
func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetPermissions ¶
func (s *Service) SetPermissions( ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand, ) ([]accesscontrol.ResourcePermission, error)
func (*Service) SetTeamPermission ¶
func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetUserPermission ¶
func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
type SetResourcePermissionsCommand ¶
// SetResourcePermissionsCommand is one entry of the batch passed to
// Store.SetResourcePermissions. The embedded SetResourcePermissionCommand
// carries the resource and permission; User, TeamID and BuiltinRole identify
// the assignee (how the store chooses among them when more than one is set is
// not visible here — confirm).
type SetResourcePermissionsCommand struct {
	User        accesscontrol.User
	TeamID      int64
	BuiltinRole string
	SetResourcePermissionCommand
}
type SetResourcePermissionsForBuiltInRoleParams ¶
// SetResourcePermissionsForBuiltInRoleParams holds the path parameters and
// body of the setResourcePermissionsForBuiltInRole endpoint.
type SetResourcePermissionsForBuiltInRoleParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
	// in:path
	// required:true
	ResourceID string `json:"resourceID"`
	// in:path
	// required:true
	BuiltInRole string `json:"builtInRole"`
	// in:body
	// required:true
	Body setPermissionCommand
}
swagger:parameters setResourcePermissionsForBuiltInRole
type SetResourcePermissionsForTeamParams ¶
// SetResourcePermissionsForTeamParams holds the path parameters and body of
// the setResourcePermissionsForTeam endpoint.
type SetResourcePermissionsForTeamParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
	// in:path
	// required:true
	ResourceID string `json:"resourceID"`
	// in:path
	// required:true
	TeamID int64 `json:"teamID"`
	// in:body
	// required:true
	Body setPermissionCommand
}
swagger:parameters setResourcePermissionsForTeam
type SetResourcePermissionsForUserParams ¶
// SetResourcePermissionsForUserParams holds the path parameters and body of
// the setResourcePermissionsForUser endpoint.
type SetResourcePermissionsForUserParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
	// in:path
	// required:true
	ResourceID string `json:"resourceID"`
	// in:path
	// required:true
	UserID int64 `json:"userID"`
	// in:body
	// required:true
	Body setPermissionCommand
}
swagger:parameters setResourcePermissionsForUser
type SetResourcePermissionsParams ¶
// SetResourcePermissionsParams holds the path parameters and body of the
// setResourcePermissions endpoint (batch form: the body is a
// setPermissionsCommand rather than a single setPermissionCommand).
type SetResourcePermissionsParams struct {
	// in:path
	// required:true
	Resource string `json:"resource"`
	// in:path
	// required:true
	ResourceID string `json:"resourceID"`
	// in:body
	// required:true
	Body setPermissionsCommand
}
swagger:parameters setResourcePermissions
type Store ¶
// Store is the persistence layer for managed resource permissions. Every
// operation is scoped by orgID.
// NOTE(review): nothing in this interface shows an authorization check;
// presumably the caller (Service) verifies the requester may change the
// resource before calling these — confirm.
type Store interface {
	// SetUserResourcePermission sets permission for managed user role on a resource
	SetUserResourcePermission(
		ctx context.Context, orgID int64,
		user accesscontrol.User,
		cmd SetResourcePermissionCommand,
		hook UserResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)
	// SetTeamResourcePermission sets permission for managed team role on a resource
	SetTeamResourcePermission(
		ctx context.Context, orgID, teamID int64,
		cmd SetResourcePermissionCommand,
		hook TeamResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)
	// SetBuiltInResourcePermission sets permissions for managed builtin role on a resource
	SetBuiltInResourcePermission(
		ctx context.Context, orgID int64, builtinRole string,
		cmd SetResourcePermissionCommand,
		hook BuiltinResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)
	// SetResourcePermissions applies a batch of commands, each addressed to a
	// user, team or built-in role, using the corresponding callback from hooks;
	// returns the resulting permissions.
	SetResourcePermissions(
		ctx context.Context, orgID int64,
		commands []SetResourcePermissionsCommand,
		hooks ResourceHooks,
	) ([]accesscontrol.ResourcePermission, error)
	// GetResourcePermissions will return all permission for supplied resource id
	GetResourcePermissions(ctx context.Context, orgID int64, query GetResourcePermissionsQuery) ([]accesscontrol.ResourcePermission, error)
	// DeleteResourcePermissions will delete all permissions for supplied resource id
	DeleteResourcePermissions(ctx context.Context, orgID int64, cmd *DeleteResourcePermissionsCmd) error
}